9

I'm trying to design an Android Analytic service where every user's application who register in this service needs to download our SDK. The SDK itself need to communicate with our API server. The point where I ran into the problem, is that I don't know how to implement a proper way of authentication for each application in order to be able to communicate with our API server.

I have already generate a unique API key for each user's application, but I don't know how to handle the authentication process, since if we assume the API key as the only factor of authentication it can be easily stolen by the hacker.

In the other hand, I read that JWT would be the best case, but whats difference by sending the API-Keys and getting the Access-Token where again both of them can be easily stolen? now should I use OAuth 2.0 or something else?

Any ideas would be appreciated...

iSun
  • 199
  • 1

2 Answers2

1

JWTs can be expired. (They should be on a regular basis, or based on certain user actions). Then a new JWT can be issued. But ultimately, if the JWT is stolen and not yet expired, you've been compromised. At the end of the day, if you're going to maintain state, the client needs to hold on to something, session cookie, jwt, whatever...

I would recommend you implement a way to expire and re-administer API keys. Here's an answer with a great summary of best practices. How to implement an API-Key-Mechanism

Community
  • 1
jbd
  • 111
  • 2
0

One of my colleagues mentioned APIMAN (from RedHat) to me today, which seems to be what you need. It has an authentication layer among other useful features.

HTKLee
  • 1,812
  • 15
  • 30